Jump to content
TennShadow

Easier SSL Intergration

Recommended Posts

We all can agree that HTTP is not secure and anytime you login your username and password is sent in clear text.  There have been several people try to add SSL to PHPVMS but have had alots of issues.  I'm not sure what can be done to make SSL easier to use in the next gen version of PHPVMS but I an for it.  I would go SSL if I could.

Share this post


Link to post
Share on other sites

I would second this, I have found a way to do it with the current phpVMS, but I would suggest making the API Servers (e.g. Airport Lookup) HTTPS compatible as well because I've had to write a script to look up airports from a CSV file instead of use the lookup feature at the moment (errors such as Cross-Origin pop up in the console), but I guess you do have to sacrifice some things.

Share this post


Link to post
Share on other sites
On 12/30/2016 at 6:29 PM, Keith said:

We all can agree that HTTP is not secure and anytime you login your username and password is sent in clear text.  There have been several people try to add SSL to PHPVMS but have had alots of issues.  I'm not sure what can be done to make SSL easier to use in the next gen version of PHPVMS but I an for it.  I would go SSL if I could.

When i have built websites in the past and used SSL I've not always but the "whole" site under the HTTPS://.

Im currently waiting for the newly acquired SSL certificate to become active and play with phpVMS (Sim pilots version) and see if there is a way to implement it without much problem. In the past I know it can be a pain in the rear end to fully implement, more so when calling javascript. I know google recomends using https: rather than http when using their CDN scripts.

Back to the point I'm trying to make tho, I'm sure only implementing it on the "login" and "registration" controllers may solve issues since thats mainly the areas of clear text that we want to secure?

Just a thought if its easier implantation your looking for..

Share this post


Link to post
Share on other sites

Just a couple of quick points:

  • HTTPs is more secure
  • Rumor is Google ranks you higher if your website holds an SSL.
  • A lot of the major shared hosting providers now provide a free "Shared SSL" with your monthly package.
  • When you use your website with an SSL, every external .js and .css files should/must be linked in https:// as well.
  • Even if the place where .js and .css files aren't secured(Like the API server), adding https:// will still work.
  • SSLs are dope 

That being said, you can easily create an independent login/registration page and have those pages secured through SSL. It shouldn't affect the rest of your website. I'd say secure the account page, and the change password fields as well.

 

Edited by magicflyer

Share this post


Link to post
Share on other sites

yeah this is needed. I tried to run a site through ssl just recently and it was nothing short of a total disaster.

Share this post


Link to post
Share on other sites

I do not see this being an issue. The url for the system is set in one place and with the addition of a couple of .htaccess rules it should work without issue. As far as making some pages secure and some not I would have to think about that for a bit, there is always a way but the question brings up the question of if it is worth dividing the site up into separate pieces. If a server by chance is not using mod_rewrite then it can be faked using a hook. My goal from the beginning is to keep it as simple as possible as far as the management side.

Share this post


Link to post
Share on other sites

I just installed a SSL cert for the test instance and am having no issue at this point after changing the base url. The only thing that was a hang was the Google Maps API which just required a url change.

I also installed one here for the forum as an added layer of protection but with all the linked images you may get "insecure connection" messages occasionally. I have the proxy plugin running to try and fix all the offsite linked images to work on the https domain but with the size of the database it si going to take some time to complete the update.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...